Session ID Not Updating after Session.Abandon call

Question
User-1871023568 posted
Hi,
I am trying to update the Session ID after every successful login by a user. For that, I have abandoned the current Session and am redirecting the flow to a middle page, loading the user-specific settings there, and then redirecting the flow to the default page of the user. But during this process I observed that the Session ID is not getting updated. I think I am missing something here, but could not recognize what.
Can someone please help?
Thanks in Advance.
Regards,
Paramhans
Monday, July 11, 2011 6:16 AM
Answers
User11528697 posted
It's normal for the ASP.NET framework to reuse the session ID. Here is what you do to make sure the ID is not reused.
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
Here is the link that explains why IDs are reused.
http://support.microsoft.com/kb/899918
Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Monday, July 11, 2011 7:09 AM
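
The login flow discussed in this thread, as an added example that is not part of any poster's reply. It assumes Forms Authentication with a configured Membership provider, the default ASP.NET_SessionId cookie name, and hypothetical page and control names (Login.aspx, PostLogin.aspx, Default.aspx, txtUser, txtPassword).

```csharp
// Added example (not from the thread). Page and control names are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox txtUser;      // hypothetical controls declared in Login.aspx
    protected TextBox txtPassword;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
            return; // failed login: leave the anonymous session as it is

        // Drop the server-side state of the pre-login session.
        Session.Abandon();

        // Abandon() does not touch the cookie, so the browser would send the
        // old ID back and ASP.NET would reuse it. Blank the cookie instead.
        var blank = new HttpCookie("ASP.NET_SessionId", "") { HttpOnly = true };
        Response.Cookies.Add(blank);

        // Identity travels in the forms-auth ticket, not in the abandoned session.
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);

        // The new ID is only issued on the NEXT request, hence the middle page.
        Response.Redirect("~/PostLogin.aspx", false);
    }
}

public class PostLoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // This request arrived with an empty session cookie, so ASP.NET created
        // a fresh session with a fresh ID. Writing to it makes that ID persist.
        Session["UserName"] = User.Identity.Name;
        Response.Redirect("~/Default.aspx", false);
    }
}
```

Comparing Session.SessionID on the login page and on the middle page during a test login confirms that the value changed.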
All replies
User-1637433209 posted
See this link:
http://weblogs.asp.net/kodali/archive/2010/04/29/asp-net-session-on-browser-close.aspx
Monday, July 11, 2011 6:22 AM
User-366017857 posted
Hi,
The proper way to create a session variable is:
Session["VarName"] = value;
Next, to remove an item from the session state:
Session.Remove("VarName");
To clear all session variables use:
Session.Clear();
Monday, July 11, 2011 6:25 AM
User-1871023568 posted
My intention is to create a new Session after successful login so as to avoid Cross Site Scripting attacks.
Monday, July 11, 2011 6:57 AM
User11528697 posted
If your intention is to prevent a cross site scripting attack, then you need to look into the standard procedure of using a unique variable stored on the page and in session, which is compared on post back to make sure you are not being sent a replay of previous requests. Search for "CSRF fix for asp.net" in Google and you will find a lot of discussion and code to help you with it.
Monday, July 11, 2011 7:12 AM
User-1871023568 posted
Thanks for the link. It has resolved my problem.
Thanks again.
Monday, July 11, 2011 9:32 AM